As requested this article (2 of 3) continues from the Russian Business Network (RBN’s) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article provides further exposure of 21 to 40, but to extend the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are these entire 40 fake products all RBN?” – The brief answer here is a quantifiable - yes!

A further example in this 21 – 40 group is AntiVirGear,again the same user exploit mode is used is stealth based malware, and according to McAfee’s Site Advisor provides a host of bad downloads for the unsuspecting user. AntiVirGear makes a fairly recent entrance to this scene, and appears within spyware forums and other security sources e.g. Symantec (September 13, 2007), but AntiVirGear is not new. The exploit variety here is based upon the Trojan Zlob or variant, well known in earlier names such as spysherriff, antispyware-gold, etc., with recorded sightings form 2004 and 2005.

The further batch 21 – to – 40 is shown here in Table 4.

Again many are alive and well and doing good business for the RBN despite most of the core IP addresses are blacklisted. However when compared with the 1st article again there is the common thread of interrelated hosts or mirror servers, see Table 5.

The tables in the 1st article and the tables here, and RBN related information helps to provide two important observations:

(a)The most important $$$ earning or key activities e.g. Malwarealarm, AntiVirGear, within the “fakes” category, but also as shown with the current PDF and Gozi attack are directly served with AS 40989 = RBNetwork (RBN).

(b)36 out of 40 of the RBN fakes are hosted or mirrored via AS 27596 = Intercage

Intercage (US) AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27596 - level of responsibility?). Intercage has a history relating to the RBN “fakes” as noted back as early as 2005 / 2006 for example Spyware Warrior forum. In February 2006 there was an online debate where ZDnet questioned ISC Sans suggestion to drop the blocking of all of Intercage, their arguement being there were “some” legitimate customers there.

There are two conclusions that could be made from this:

1.It has been suggested to the authors of this blog, it will not be until some of the victims of these fakes and RBN begin and successfully pursue legal actions against such server enterprises the legitimate ones will ensure they consider a level of due diligence in accepting or continuing to be the vehicle for such illegal activities.

2.Clearly IP blocking in a fast, responsive and comprehensive “OpenDNS” CYBERINT format as a method for ISPs and users is long overdue. There is a big difference between say iPower when they are careless victims themselves in getting 10,000 web sites hacked, and such an obvious case as Intercage - AKA RBN.

Finally as a reminder that this is a “now” problem and large scale see a sample in Table 6 from 21- 40, this would show about 3-4 million users as visitors worldwide to the 40 sites, per month “NOW”.

The PDF file attached to an email contains an exploit for the recently disclosed vulnerability involving Adobe PDF and the Microsoft reported security advisory (here). As stated within this blog earlier the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi TrojanThe exploit which contains shellcode to download a binary from the RBN, the downloaded binary injects itself into several MS Windows processes and collects personal information from the infected PC and sends it to the RBN.

To confirm:

Download binary from IP address 81.95.146.130

Then send your personal data for ID theft to 81.95.147.107

Both 81.95.146.130 and 81.95.147.107 is served by Autonomous System AS 40989 = RBN AS RBusiness Network,

Perhaps more ISPs and users should simply blocklist the whole IP range, in and out?

In a continuation of the discovery of the RBN’s “Retail Division” one of the most important exploit delivery methods is the fake; anti-spyware and anti-malware for PC hijacking and personal ID theft, this is a source of revenue for the RBN also from a direct sale.

For example, MalwareAlarm is a dangerous fake anti-spyware software and it is an update version of Malware Wiper. MalwareAlarm is stealth based malware, according to McAfee’s Site Advisor they tested 279 “bad” downloads. The methodology is to get the user to use a “free download”, MalwareAlarm then displays a warning message to purchase the paid version of MalwareAlarm, and of course the damage is done with the initial action.

The purpose of this article is to demonstrate the multiplicity of nodes, connections and delivery routes. However, it is a prompt for the community of the need for real-time CYBERINT (see blog here) based blocking and shield services. As is shown below, many are either or both SBL and XBL blacklisted, but this is only the core IP address and not the multiplicity of other mirrored hosts and servers.

There are several well known “RBN retail brands” shown below (Table 1) we show the “Top 20”;

All of these are blacklisted elsewhere in some form, but still highly active at this time, as in any product marketing model some are entering into a mature phase and others are newer variants.. As seen within Table 1, this can produce some confusion, due to the apparent array of domains and IP addresses. Table 2 provides a simplification to the ten actual hosts and servers involved. As is a common theme of this blog again it has to be noted the several major US based servers involved, we hope unwittingly? Also note the potential for MITM “inside the server” website exploits of a further 1 million + web sites. For RBN blocking purposes 4/5 of the below would prevent access by the majority. The RBNetwork - AS 40989, encompasses AS28866 (AKIMON AS Aki Mon Telecom) and AS41173 (SBT AS SBT Telecom) as previously mentioned within this blog.

In answer to a few readers’ queries and one of the major problems with an analysis of the RBN’s activities is “What is the scale of this, how do we quantify?” In Table 3 below shows a limited sample and is provided in this brief form to deliberately demonstrate the numbers. It should be understood that luckily not every site visitor will download the exploits. A simple “Google” of some these examples will show the numerous forum and queries of how to remove the resultant infections. Included is the “Alexa” rank; to demonstrate jellyfish.com an auction site recently acquired by Microsoft, has about the same rank as MalwareAlarm.

As requested there will be a more detailed follow up on this topic, plus the requested RBN IP block information. Also a forthcoming article will shed light on the RBN’s payment and secure data transmissions.

An interesting story in Wired.com by Ryan Singel, based on email correspondence from a representative claiming to be from the Russian Business Network (RBN). As reported, the RBN's man said current reports about the organization “..... is subjective opinion based on guesswork." In keeping with this blog's "quantitative" format we make an attempt to shed some light on this.

Figure 1. Shows a representation of the RBN from the perspective of web infrastructure, it provides three levels of operation:

Although they are in the RBN Autonomous System they are within other Autonomous Systems. These should be discounted from the RBN "bad" or "ugly" groups.

Therefore, CONNECTCOM’s spokesman to Wired.com is either:

(a) Another innocent caught in the bad and ugly RBN’s maelstrom, they may actually own the RBN, but not the one we know.

(b) A RBN (bad or ugly) stooge trying to misdirect

As with earlier posts here, re; RBN hiding within US hosts, we have to recognize the RBN does the same in Russia and elsewhere. The requirement is to focus on the RBN "ugly" Retail Division. The specific source for website exploits, ID theft, etc.

A great article and associated blog articles on the Russian Business Network (RBN) from Brian Krebs in the Washington Post. However, the puzzle and a theory for a few of us has always has been, where are the RBN's; external communications, web site exploit, and ID theft divisions, let us call it the RBN retail division. These have to be outside their conventional Nevacon / RBNnetwork / Aki Mon, those are becoming well blocked on SBL XBL etc., thanks to Spamhaus et. al. Despite what some researchers may think about domestic PCs, the logic for the RBN has to base these operations within accessible hosts. Also from inside any server it is much easier to use "Man-in-the-Middle" (MITM) techniques to exploit neighboring web sites and for personal ID theft. Where better than within a low cost US host that only cares about the credit card used for not what the web site does, and you have over 1 million web sites and their users to prey on?

So here is the "good news" - the RBN have moved some key domains as of today, and luckily every time they do this it reveals more of their bases. Below is just a sample of many, if you put them on the outside of the major hosting hubs, you will starve the main body.

"The Enemy Within the Gates" - all "within" major US hosts, also note every one has fictitious domain registrants and is breaking the TOS (terms of service) for hosting:

iframecash com = 38.97.225.135 = Hiding within Cogent Communications (DC, US) moved back onshore to the US from Aki Mon Telecom

If we can persuade these major US hosts / servers to act voluntarily and quickly, as we did with Layered Technologies (iframe cash com) then at least we could prevent a great deal of web site exploits from "within" the major US hosting servers.

Just to re-emphasize listed above provides RBN direct access to over 1 million web sites and their users.

The recent detailed and fascinating reports within CIO written by By Scott Berinato in conjunction with SecureWorks researcher Don Jackson was focused on the technical analysis of form-grabbing software, via access to 76service (dot)com.Subscribers to 76 service could log in, pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.

Within the analysis and articles there is reasonable logic as to the 76service servers being based in Panama, but unfortunately they are or were based within the US.The Mpack DIY exploit package involving the "HangUp Team” which Jackson had found a coder who posted the news of 76service’s demise, all of these players have connections to the Russian Business Network (RBN), according to several researchers, including Jackson, ref: CIO.

In a long term watch analysis of DNS for 76service (dot) com (66.232.122.239) and related, reveals a detailed hosting history and CBL/ SBL blacklisting (see below), but apparently is still currently hosted by "coolservecorp (dot)net"i.e. Noc4hosts Inc, with their servers stated as being in Lykes Building, Tampa, FL, USA. Although 76service appears closed, they may still be dwelling the hive of associated domains i.e. Key related domains @ 66.232.122.239 - carbon coolservecorp net: 76service.com, gamesboard.ru, newpulses.com, odeku.net, putany.net, sosnovsky.net (see below for further domains for interested researchers).

This is similar to another RBN retail outfit "iFrame Cash", where hosting was shown until recently by another US based web host Layered Technologies.The "carbon coolservecorp net" server is not the only one involved also; host33.coolservecorp.net, and aa.18.1343.static.theplanet.com.

Any reasonable conclusion again asks the question; are the RBN’s “bullet proof” servers operating with apparent impunity from within large low cost shared and dedicated hosting services within the US at coolservecorp / Noc4Hosts, GlobalNet Access (GNAX), The Planet or similar?

Even more concerning is the fact that there are reports of website hacking, iFrame exploits and hijacking at these hosts, not quite reported yet on the scale of the recent iPower (10,000+ sites exploited) problem but significant and growing. However the potential "internal" target for the RBN here is staggering, if correlating the potentially “infectable” IP domains from AS29802, AS3595, and AS29802 is a total of 1,296,640 IP addresses.

For the authors here, this analysis similarly proves the color of the credit card is more important than any due diligence concerning the activities of the client webmaster to most hosting outfits. Perhaps when hacked webmasters or those individuals who have been subject to ID theft eventually sue the hosts responsible for housing the cause, perhaps some due diligence may ensue.

The final conclusion is it would appear the RBN does not have to hack into servers to gain access to websites and a major hosts legitimate customers, they are already inside.

According to net-security.org Todd Abrams, the CEO of Layered Technologies had released a statement in which he stated that the company's support database was a target of malicious activity on the evening of September 19th 2007. The incident may have involved the illegal downloading of information such as names, addresses, phone numbers, email addresses and server login details for up to 6,000 clients.

Another blog had reproduced a copy of the email to Layered Technologies abuse team, concerning their dedicated hosting of one of the Russian Business Network’s (RBN) key “commercial” web enterprises ref: iFrame Injection Source? . Although there was never a reply to any email, but possibly with the added assistance of this blog’s bigger friends, they or the RBN obviously took action. This is seen by the change; on September 9th 2007 the change from 72.36.199.58 (USA- Layered Technologies Hosting) to 81.95.153.245 (Russian Federation - Aki Mon Telecom hosting – AKA “RBN”). For those who like the specific details see http://rbnexploit.blogspot.com.

It is reasonable to assume the later attack on Layered Technologies was part of the RBN’s normal procedure to wreak revenge upon those who try to rid themselves of the RBN’s grip. This was just as they did to National Bank of Australia, the Bank of India, and many others.

Hopefully more web hosts will examine who they have as customers in the first place, rather than the value of the credit card?

Blog Note;

All trademarks and copyrights on this blog are owned by their respective owners. Unless otherwise stated, opinions expressed here are entirely that of rbnexploit.blogspot.com. All analyses are for personal edification, educational, and research purposes only. Any DNS, IP address, domain, or AS # mentioned is derived from exhaustive research and cross correlation from 3rd parties. Any queries contact rbnexploit (at) gmail.com